Why don't mail services handle DMARC?

T

tester122020-01-10 23:24:22

SPF

tester12, 2020-01-10 23:24:22

Configured DKIM, SPF, DMARC to protect against phishing/spoofing:

@	TXT	v=spf1 redirect=nicmail.ru		
phpmailer._domainkey	TXT	v=DKIM1; k=rsa; t=s; p=<открытый ключ>
_dmarc	TXT	v=DMARC1; p=reject; sp=reject; rua=mailto:[email protected]; fo=1

DKIM and SPF work. Yandex mail (web interface) reports that the sender and signature are confirmed.
If you send (phpmailer) a letter without a signature or signed with the wrong private key, Yandex shows that the letter is not signed. But! I have the "p=reject" parameter in DMARC. Yandex should generally reject unsigned letters.
And Yandex accepts them. And Mail.ru also accepts. Are these glitches in the mail services or am I doing something wrong?

Reply

Answer the question

In order to leave comments, you need to log in

1 answer(s)

A

Alexander NAZARIAN, 2020-01-12
@tester12

The "reject" policy only applies to emails that fail both SPF and DKIM.
That is, DMARC= fail IF (SPF=fail AND DKIM=fail).
In the case of (SPF=pass AND DKIM=pass) or (SPF=fail AND DKIM=pass), the letter is considered "authenticated" (DMARC=pass) and, accordingly, will not be rejected by the receiving server.
Here's the most successful diagram I've ever seen:
The only exception is Microsoft's mail services (Hotmail / Outlook / Office365). Incoming emails that fall under the "reject" policy are not rejected but placed in the "Junk" folder.
Read more here:
https://docs.microsoft.com/en-us/microsoft-365/sec...